Legal overview regarding research data

Research projects commonly involve many collaboration partners. An important consideration for data management in collaboration agreements is that it should be clearly stated who the processor of data is, i.e. who is responsible for the different stages of the data treatment. In a data management plan (datahanteringsplan), one can clarify who is responsible for the processing and storage of data.

It is becoming more common for funding agencies to require a data management plan and to require that data be publicly available (open data). As a public state university, KTH abides by the principle of public access to official records. This means that most research data is a public document. An exception is made for data that falls within the scope of secrecy according to the Public Access to Information and Secrecy Act and for data that contains sensitive personal data. A collaboration agreement should clarify when a reason for secrecy exists for data collected, measured or created within a research project.

The agreements should also make clear who will own any Intellectual Property (IP) that may arise in the research project and whether permission to use data protected by copyright is needed. Depending on what type of data is generated, other agreements or assessments may also be necessary, such as data processing agreements according to GDPR.

The person responsible for processing data should also consider whether the research requires approval according to the Ethical Review Act before the project starts.

If you need more information on a certain legal aspect, you can find it below.

The Public Access to Information and Secrecy Act

KTH is a government authority, which means that most research data should be treated as public documents according to the Public Access to Information and Secrecy Act (Offentlighets- och sekretesslagen). In short, this means that if there are no specific reasons for secrecy, research data should be made publicly available. Secrecy may be regulated in funding agency agreements or in collaboration agreements. Acceptable reasons for secrecy in research are described in section 3.4.4 in the KTH policy for public access to information.

GDPR and personal information

What is personal information?

All information that directly or indirectly relates to a living person.

Sensitive personal information is information regarding a person’s:

  • Ethnic origin
  • Political views
  • Religious or philosophical convictions
  • Membership in a union
  • Health
  • Sexual life or sexual orientation
  • Genetic information
  • Biometric data that specifically identifies a unique person

Research data containing personal information should be handled according to the EU General Data Protection Regulation (GDPR) and supplementary Swedish regulations.

To be allowed to process personal data you need to have lawful reasons to do so (see information from Datainspektionen). A scientific research purpose is in general a lawful basis, provided that measures to protect personal integrity are taken. The details in Swedish law regarding the processing of personal information for scientific research purposes have been the subject of a state public report (SOU), where proposed changes will be in force 1 Jan 2019.

In some cases pseudonymization is enough to enable the publication of research data when the dataset contained personal information before pseudonymization. However, sensitive personal information should not be published, and it also requires higher security in the data management process. A special impact assessment is required when sensitive personal data is involved. This is also needed in certain other cases, such as when automated decision systems based on personal data are developed or when filming in public places takes place (see information from Datainspektionen). If this applies to your research project, contact the Data protection officer at KTH.

If data that includes personal information is stored outside KTH servers, it is important to have a data processing agreement (DPA) with the organization(s) that store or process the data.

If you want to learn more about GDPR you can go to the KTH learning module about GDPR.

The Ethical Review Act

If a research project includes research on living/deceased human subjects or includes sensitive personal information, approval according to the Ethical Review Act is needed before starting. Approval is sought through the Ethical Review Board. When sensitive personal data is processed you need consent from the participants of the study. To read more about ethical review and consent, see the Ethical Review Board. If biological material from human subjects is collected, the samples must be treated according to the Biobanks in Medical Care Act and reported to the Swedish Bio Bank registry.

Copyright, Patents and other Intellectual Property considerations

There is no copyright for factual data/observations, but copyright applies to data such as images, software code and other creative works. This means that usage of such data may require consent from the copyright holder, even for research purposes; the copyright holder also has the right to be attributed. The principle of public access to official records also holds for copyright-protected material, which may be ordered to be made publicly available. However, the person who orders the material to be made publicly available cannot use the material without consent from the copyright holder.

If you are the creator and copyright holder, you can decide to share your work under an open license in which you give consent for usage of your copyright-protected material. There are different types of open licenses, such as Creative Commons or different licenses for open source software/databases. You can contact KTH Library for advice on choosing a suitable license.

If considerable investments have been made to collect a large compilation of data, i.e. create a database, there may be a certain protection for the database (see 49§ Upphovsrättslagen and the EU Directive on the legal protection of databases).

It should be clearly stated in a research project agreement who owns IP that may arise in the project. The main point of view is that KTH should be responsible for research data that is produced by KTH researchers and that this data should be made available for academic use.

However, patentable inventions etc. that arise as part of research or educational activities are owned by the individual researcher/teacher – “The professor’s privilege”. Data that could be a basis for patentable inventions may in agreements be protected for a limited time by secrecy. For more information, see the KTH IP-Policy or contact KTH Innovation.

The Archival Act

The Archival Act regulates, among other things, how and what a public authority such as KTH should archive for the future. The archive of a public authority consists of the public documents arising from the activities of the public authority. Some documentation from the research process is required to be preserved; read more about this in the KTH instruction about long time preservation of research documentation.

Support at KTH & contact info

If you have further questions regarding management of research data, contact .